Cerberus is a well-known banking Trojan for Android that we already discussed in a comprehensive report on how it works in October 2019, when it began to affect Spanish and Latin American entities.

Its popularity has been growing rapidly in recent months, so much so that the differences between the number of detections of this family compared to those of the 'Anubis Bankbot' family, the most popular to date, has been reduced. Of the new features that it incorporates, perhaps the most interesting is its conversion into a Remote Access Trojan (RAT).

This banking malware is back in the news; not only because of its popularity, but because of the new version that has been detected starting February 19, 2020. Nothing new has been introduced in the section on banking credential theft, maintaining the usual Android banking Trojan modus operandi (the use of 'overlays' with phishing).

However, these recent versions of the popular banking Trojan do incorporate several interesting novelties that, little by little, put it on a level with its rival Anubis Bankbot in functionalities.

These new features in Cerberus, in addition to the incorporation of functionality for remote control of the device (RAT), also include theft of the device's unlock pattern and several new features in the control server connection protocol. Thus, this advanced malware has been updated and forces us to take steps to keep up, with improvements in detection and forensic analysis.

Remote Access Trojan (RAT) functionalities

The new samples detected include a RAT functionality that enables the total remote control of the infected device. So now we must speak of Cerberus as a Remote Access Trojan. For this, two new features have been introduced: commands to access the device’s files and commands to start the official TeamViewer application to take full control of the device, including the user interface.

Code responsible for receiving the command from the control server to be executed by the RAT module

In the above code, we can see how the Trojan checks whether it should start the TeamViewer session. Among the parameters of the 'connect_teamviewer' command is the password that must be configured in the TeamViewer client. When this command is received, the banking malware starts the legitimate app and uses the accessibility service to detect its opening and modify the connection password for the password provided by the control server.

Code that checks if the password text field is in the current TeamViewer view

Function that modifies the password field with the one provided by the server

As we can see, once the TeamViewer app opening is detected, the accessibility permissions are used to modify the content of the password text field, thus enabling the remote control session.

On the other hand, the new RAT functionalities also make it possible to list files from a system folder and upload the contents of the desired files to the control server.

Receiving RAT commands for file management

Theft of unlock pattern and Google Authenticator codes

Although there are no new features in the theft of banking credentials, what has been introduced in Cerberus is a specific injection to steal the device unlock pattern configured by the device user. In the following image we can see the code of this advanced malware which, in addition to the injections to steal Gmail credentials and credit card numbers, now includes the injection to steal the unlock pattern.

Code responsible for showing the injections for credential and pattern theft

Injection that simulates the unlock screen to steal the pattern

In addition to the theft of the unlock pattern, this new version of Cerberus, now also a RAT, implements functionality to steal the second authentication factor codes generated through the Google Authenticator application. To do this, it simply makes use of the accessibility service, and through it reads the contents of the interface and sends the codes to the control server.

Changes in sending data to the server

As we can see in the following image, the variables that are sent to the control server and their values are changed every time data is sent.

Variables sent in the request to the server

The 'q' parameter tells the server what action is to be performed, while the rest of the parameters do not seem to be really useful, except for the 'ws' parameter, whose value corresponds to the JSON encrypted with RC4 that contains the information to send (stolen data, device information, etc.)

get_new_patch: this request is made to receive an APK file as a response, which contains the complete banking credential theft module. This APK is used to dynamically load the 'classes.dex' file.

Loading of the downloaded module and execution of the ' main' function

After loading and executing the main code of the downloaded module, it is responsible for making the 'is_attacker' request with the list of installed applications, which receives as a response the subset of applications affected by malware among those installed. Finally, the 'd_attacker' request is made to download the encrypted HTML file with the phishing web used in the 'overlays' to steal banking credentials.

Conclusions

In the last several weeks, the Cerberus banking malware developers have made a recent version of the Trojan available to their buyers. It includes new features, primarily designed to provide attackers with the tools necessary to remotely control the device through the TeamViewer application. Now converted into a remote access Trojan (RAT), Cerberus is renewed and reinforced, and requires strengthening RAT detection measures.

This movement is a clear attempt to unseat its main rival, Anubis Bankbot, which already had modules for the remote control of the infected device. Cerberus’ developers are trying to improve their creation to catch up with regard to functionalities and support of affected applications, which has already included Spanish and Latin American banking entities since October 2019.

After this update we must remain alert, as we can expect new samples and new versions that introduce even more new features in terms of functionality and with regard to banking entities affected by this advanced malware.